Source-Changes-HG archive


[src/trunk]: src wg: Check mbuf chain length before m_copydata.



details:   https://anonhg.NetBSD.org/src/rev/8b64f47c7e17
branches:  trunk
changeset: 937797:8b64f47c7e17
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Thu Aug 27 02:52:33 2020 +0000

description:
wg: Check mbuf chain length before m_copydata.

diffstat:

 sys/net/if_wg.c           |  20 +++++++++++-
 tests/net/if_wg/t_misc.sh |  75 ++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 92 insertions(+), 3 deletions(-)

diffs (138 lines):

diff -r 6c610b8104c6 -r 8b64f47c7e17 sys/net/if_wg.c
--- a/sys/net/if_wg.c   Thu Aug 27 02:51:49 2020 +0000
+++ b/sys/net/if_wg.c   Thu Aug 27 02:52:33 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_wg.c,v 1.24 2020/08/26 16:03:41 riastradh Exp $     */
+/*     $NetBSD: if_wg.c,v 1.25 2020/08/27 02:52:33 riastradh Exp $     */
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ryota%gmail.com@localhost>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.24 2020/08/26 16:03:41 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.25 2020/08/27 02:52:33 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2915,9 +2915,25 @@
 
        WG_TRACE("enter");
 
+       /* Verify the mbuf chain is long enough to have a wg msg header.  */
+       KASSERT(offset <= m_length(m));
+       if (__predict_false(m_length(m) - offset < sizeof(struct wg_msg))) {
+               m_freem(m);
+               return -1;
+       }
+
+       /*
+        * Copy the message header (32-bit message type) out -- we'll
+        * worry about contiguity and alignment later.
+        */
        m_copydata(m, offset, sizeof(struct wg_msg), &wgm);
        WG_DLOG("type=%d\n", wgm.wgm_type);
 
+       /*
+        * Handle DATA packets promptly as they arrive.  Other packets
+        * may require expensive public-key crypto and are not as
+        * sensitive to latency, so defer them to the worker thread.
+        */
        switch (wgm.wgm_type) {
        case WG_MSG_TYPE_DATA:
                m_adj(m, offset);
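Review bot: The only guard against `offset` exceeding the chain length is the `KASSERT`, which is compiled out of kernels built without DIAGNOSTIC. If `m_length(m)` is unsigned (its declaration is not in the hunk), the subtraction in the following `if` then wraps, the short-packet test does not fire, and `m_copydata` is asked to read past the end of the chain. Whether the caller can ever hand in such an offset is not visible here, but making it part of the runtime check is cheap: `const size_t len = m_length(m);` followed by `if (__predict_false(len < (size_t)offset || len - offset < sizeof(struct wg_msg))) {`. That also walks the chain once instead of twice. The enclosing function starts and ends outside the hunk.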
diff -r 6c610b8104c6 -r 8b64f47c7e17 tests/net/if_wg/t_misc.sh
--- a/tests/net/if_wg/t_misc.sh Thu Aug 27 02:51:49 2020 +0000
+++ b/tests/net/if_wg/t_misc.sh Thu Aug 27 02:52:33 2020 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: t_misc.sh,v 1.2 2020/08/27 02:51:49 riastradh Exp $
+#      $NetBSD: t_misc.sh,v 1.3 2020/08/27 02:52:33 riastradh Exp $
 #
 # Copyright (c) 2018 Ryota Ozaki <ozaki.ryota%gmail.com@localhost>
 # All rights reserved.
@@ -588,6 +588,78 @@
        cleanup
 }
 
+atf_test_case wg_malformed cleanup
+wg_malformed_head()
+{
+
+       atf_set "descr" "tests malformed packet headers"
+       atf_set "require.progs" "nc" "rump_server" "wgconfig" "wg-keygen"
+       atf_set "timeout" "10"
+}
+
+wg_malformed_body()
+{
+       local ifconfig="atf_check -s exit:0 rump.ifconfig"
+       local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1"
+       local ip_local=192.168.1.1
+       local ip_peer=192.168.1.2
+       local ip_wg_local=10.0.0.1
+       local ip_wg_peer=10.0.0.2
+       local port=51820
+       setup_servers
+
+       # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
+       generate_keys
+
+       export RUMP_SERVER=$SOCK_LOCAL
+       setup_common shmif0 inet $ip_local 24
+       setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
+
+       export RUMP_SERVER=$SOCK_PEER
+       setup_common shmif0 inet $ip_peer 24
+       setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
+
+       export RUMP_SERVER=$SOCK_LOCAL
+       add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
+
+       export RUMP_SERVER=$SOCK_PEER
+       add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
+
+       export RUMP_SERVER=$SOCK_LOCAL
+
+       $ping $ip_wg_peer
+
+       printf 'send malformed packets\n'
+
+       $HIJACKING ping -c 1 -n $ip_peer
+
+       printf 'x' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf 'xy' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf 'xyz' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf 'xyzw' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf '\x00\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf '\x00\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf '\x01\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf '\x01\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf '\x02\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf '\x02\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf '\x03\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf '\x03\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf '\x04\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+       printf '\x04\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
+
+       printf 'done sending malformed packets\n'
+
+       $ping $ip_wg_peer
+}
+
+wg_malformed_cleanup()
+{
+
+       $DEBUG && dump
+       cleanup
+}
+
 atf_init_test_cases()
 {
 
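Review bot: None of the `nc` sends in `wg_malformed_body` has its exit status checked, so if `nc` or the hijack wrapper fails to emit a datagram the test still passes on the final `$ping` without ever exercising the new length check. Consider wrapping each send the way the pings are wrapped, e.g. `printf 'x' | atf_check -s exit:0 -o ignore -e ignore $HIJACKING nc -Nu -w 0 $ip_peer $port`, provided `nc` exits 0 reliably with `-w 0`; the bare `$HIJACKING ping -c 1 -n $ip_peer` line has the same gap. A short comment above the list would also help the next reader, something like `# 1-3 bytes: shorter than the 32-bit type word; then type words 0-4 alone and with one trailing byte`.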
@@ -597,4 +669,5 @@
        atf_add_test_case wg_mobility
        atf_add_test_case wg_keepalive
        atf_add_test_case wg_psk
+       atf_add_test_case wg_malformed
 }


